[Pkg-mediawiki-commits] r301 - in mediawiki/sid-sec/debian: . patches

Thorsten Glaser tg at alioth.debian.org
Fri Jan 20 16:18:44 UTC 2012


Author: tg
Date: 2012-01-20 16:18:44 +0000 (Fri, 20 Jan 2012)
New Revision: 301

Removed:
   mediawiki/sid-sec/debian/patches/CVE-2011-4360.patch
Modified:
   mediawiki/sid-sec/debian/changelog
   mediawiki/sid-sec/debian/patches/series
Log:
revert one of the recent patches, 1.15 was unaffected and it broke things


Modified: mediawiki/sid-sec/debian/changelog
===================================================================
--- mediawiki/sid-sec/debian/changelog	2012-01-15 00:48:37 UTC (rev 300)
+++ mediawiki/sid-sec/debian/changelog	2012-01-20 16:18:44 UTC (rev 301)
@@ -1,3 +1,14 @@
+mediawiki (1:1.15.5-7) unstable; urgency=high
+
+  * debian/patches/CVE-2011-4360.patch: remove – the information
+    disclosure does not happen on 1.15 and the patch would not
+    work anyway because the OutputPage object has no setTitle
+    method (this prevents a PHP fatal error when someone has no
+    permissions, instead reverting to the pre-1:1.15.5-4 behaviour
+    of showing a page asking the user to log in)
+
+ -- Thorsten Glaser <tg at mirbsd.de>  Fri, 20 Jan 2012 17:13:28 +0100
+
 mediawiki (1:1.15.5-6) unstable; urgency=low
 
   [ Thorsten Glaser ]
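Review bot: The new 1:1.15.5-7 entry names debian/patches/CVE-2011-4360.patch but not the Debian bug the removed patch carried in its header (Bug-Debian: http://bugs.debian.org/650434), so the tracker gets no record that 1.15 is now considered unaffected. Consider referencing that bug in the entry and saying briefly how the "does not happen on 1.15" conclusion was reached. The parenthetical starting "this prevents a PHP fatal error" would also read more clearly if it said outright that the removal, not the patch, is what prevents the error.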

Deleted: mediawiki/sid-sec/debian/patches/CVE-2011-4360.patch
===================================================================
--- mediawiki/sid-sec/debian/patches/CVE-2011-4360.patch	2012-01-15 00:48:37 UTC (rev 300)
+++ mediawiki/sid-sec/debian/patches/CVE-2011-4360.patch	2012-01-20 16:18:44 UTC (rev 301)
@@ -1,31 +0,0 @@
-Description: CVE-2011-4360
- Alexandre Emsenhuber discovered an issue where page titles on private
- wikis could be exposed bypassing different page ids to index.php. In the
- case of the user not having correct permissions, they will now be
- redirected to Special:BadTitle.
-Origin: https://www.mediawiki.org/wiki/Special:Code/MediaWiki/104506
-Bug: https://bugzilla.wikimedia.org/show_bug.cgi?id=32276
-Bug-Debian: http://bugs.debian.org/650434
-Forwarded: not-needed
-Last-Update: 2011-11-30
-
-
---- mediawiki-1.15.5.orig/includes/Wiki.php
-+++ mediawiki-1.15.5/includes/Wiki.php
-@@ -149,6 +149,16 @@
- 		# the Read array in order for the user to see it. (We have to check here to
- 		# catch special pages etc. We check again in Article::view())
- 		if( !is_null( $title ) && !$title->userCanRead() ) {
-+			// Bug 32276: allowing the skin to generate output with $wgTitle
-+			// set to the input title would allow anonymous users to
-+			// determine whether a page exists, potentially leaking private data. In fact, the
-+			// curid and oldid request  parameters would allow page titles to be enumerated even
-+			// when they are not guessable. So we reset the title to Special:Badtitle before the
-+			// permissions error is displayed.
-+			$badtitle = SpecialPage::getTitleFor( 'Badtitle' );
-+			$output->setTitle( $badtitle );
-+			$wgTitle = $badtitle;
-+
- 			$output->loginToUse();
- 			$output->output();
- 			$output->disable();
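Review bot: Deleting the whole file drops the `$wgTitle = $badtitle;` reset as well as the `$output->setTitle( $badtitle );` call, and only the latter is named in the changelog as the cause of the fatal error. If the revert is deliberately this broad because 1.15 is unaffected, nothing in this commit shows how that was checked. The removed comment specifically mentions the curid and oldid request parameters, so it would help to record that the restored `$output->loginToUse()` page was confirmed not to reveal the requested title for those requests on a private 1.15 wiki.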

Modified: mediawiki/sid-sec/debian/patches/series
===================================================================
--- mediawiki/sid-sec/debian/patches/series	2012-01-15 00:48:37 UTC (rev 300)
+++ mediawiki/sid-sec/debian/patches/series	2012-01-20 16:18:44 UTC (rev 301)
@@ -13,7 +13,6 @@
 CVE-2011-1579.patch
 CVE-2011-1580.patch
 CVE-2011-1587.patch
-CVE-2011-4360.patch
 CVE-2011-4361.patch
 khtml_not_ff9.patch
 CVE-2012-0046.patch
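Review bot: Dropping the CVE-2011-4360.patch line between CVE-2011-1587.patch and CVE-2011-4361.patch leaves the series file with no indication that this CVE was evaluated and intentionally left unpatched. Anyone auditing the patch list later will see a gap in the CVE sequence. A `#` comment line in its place stating that 1.15 is not affected would keep that decision visible next to the other CVE patches.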



